55 replies to this topic

[Jamie Todd Rubin]

The two questions I get more than any others when it comes to going paperless are as follows:

• What about backups (if for some reason, Evernote was not accessible)?
• Aren't you worried about security/identity theft/etc.?

I was tempted to write a separate blog post for this but thought a post here in the forum would be good to better allow full discussion of these important questions. What follows is my personal take. Everyone has to gauge these issues for themselves. And let me be clear from the start: no one at Evernote asked me to write this post. This is based entirely on my own experience because I do get asked these questions a lot. Just look at the comment threads to the posts I've written.

Backing up paperless data

In all the time I've been using Evernote (well over a year) there has never been a time when I couldn't access my data. Evernote seems to have better uptime than a lot of other cloud-services I've used. In my day job, I'm a software developer and I know how difficult it can be to keep servers up and running. I give Evernote high marks for this so far. When they do have an outage, they announce it through several channels, among them:

• Twitter (@evernote, @evernotestatus)
• status.evernote.com

That said, having worked in IT for 20 years, I've learned to plan for the unexpected. Here is how I ensure that I have backups of my data and access to my most important documents, even if Evernote is down.

• My data is not stored directly on my computer. At home, my data is not stored directly on my laptop but on a 1 TB external hard disk. If something happens to my computer, the data on the external disk is still safe and sound.
• My data is also backed up to the cloud. I use a product called IDrive which allows me to backup up to 5 machines and my WordPress website. The software works on Windows, Macintosh, etc. It runs nightly and I get an email when the backup is complete for each machine. I pay for a premium service that allows me to backup 500 GB of data. I think it costs me $150/year.
• Included in that cloud backup is the /user/[username]/Application Support/Evernote folder on my Mac. This is a bunch of local meta-data for Evernote that I can easily restore if I ever need to.
• Twice a year (usually 4th of July weekend and New Years) I use the "Export Notes From [Notebook]..." function to export all my notes (and related attachments) to an XML file that I store in a folder on the external hard disk (and which in turn is backed up to the cloud.)
• On my iPad, I have enabled the "Offline Notebook" feature for what I call my "Paperless Filing Cabinet" notebook, which is where most of my documents go. This allows me to access the notes and attachments in the Evernote app, even if have no Internet connection.

These five things provide me with all of the backup security I feel I need. Sure, there are things that can slip through the cracks here, but with the exception of item #4, the above provides me with good, reliable backups with almost no labor on my end.

Data Security, Identity Theft, etc.

I get asked a lot about this. The truth is I don't worry about this much. That might be naive on my part, but I have learned over the years that a few simple practices go a very long way to protecting data and preventing things like identify theft. Here are some of the practices that I use. I understand that some people feel more strongly about this than I do and again, you have to do what makes you most comfortable.

• I always use SSL when transferring data. Evernote uses SSL when data is transferred over the Internet to their servers. That means the data is encrypted over the wire.
• I always use strong passwords. A strong password is one that uses a combination of upper and lowercase letters, numbers and symbols and does not contain an English word. It is also long, more than 12 characters at least.
• I change my password frequently.
• If I feel like I need additional security, I can encrypt documents using some other encryption application before loading them into Evernote.

Of course, even the best practices can't always prevent a security breach. When I think about this eventuality, I liken it to the risk of someone breaking into my house and going through my (now non-existent) file cabinet. How can you protect against this? They've gotten through your physical security, they've breached your alarm system? What else can you do?

Not much. I do have a rider on my homeowners insurance that protects me against identity theft and I've made sure that rider is adequate to cover any possibly losses. But the truth is I'm not worried that it will come to that, just as I don't worry that someone will break into my house.

So there you have it! How I backup my paperless data and how I protect myself against unwanted intrusions. Have at it! Discuss! How do you handle backups? How do you protect your data? Are there better practices than what I've got here? I'm always interested in learning better practices and techniques.

[BurgersNFries]

Regarding security, I don't put anything sensitive in the EN cloud without password encrypting it. And since I have local notebooks that may have unencrypted, sensitive data, my EN database is stored in a Truecrypted container.

Regarding backups, I regularly backup my data to USB drives. And for many years, I've used Amazon S3 via Jungle Disk. The backup runs nightly. (I leave my computers on 24/7.) And I password encrypt my Jungle Disk "buckets". I don't like relying wholly on one backup, so that's why I use both. Plus, in the event of a hard drive crash, it's faster (and cheaper, if you pay for bandwidth to your cloud service) to restore from a USB drive that my not be totally current & then sync down the new files/changes from the cloud. (At least if you have very much data.)

[jbenson2]

That's a nice summary. Thanks

My system involves:

• Carbonite for off-site backup. It runs 24 hours a day and kicks in to find any changes whenever I am away from the computer for a few minutes. Cost is $50 a year.

• For important documents, I store them in a local non-sync'd Evernote notebook. They do not get pushed up to the Evernote cloud.

• Create manual backups of the .exb folder and local non-sync'd notebook at least once a week and always before installing an upgrade to Evernote.

• LastPass manages my 80 passwords. There is no way I could possibly remember my 14 character passwords (example: nY9X*21TqSs&6$).

• Importance of frequent password changes is subject to discussion. Pro for work related passwords. Con for personal passwords. I favor the side that does not believe it offers much benefit,

[jmpsfs]

My backup scheme:
1st layer: Time Machine (backs up the entire machine hourly)
2nd layer: SugarSync (documents and Evernote as they are changed)
Super-critical items: Dropbox (which is also backed up by SugarSync and Time Machine) I use it in addition to SugarSync for a few files that change and need to be backed up quickly, since Sugarsync can have a lag as it runs through the upload queue.
Evernote: web, iPhone, iPad, plus all the above.

It's overkill but it's all automatic and requires no administration time other than the hassle of reminding iPhone and iPad to sync. A choice to do that by cable within iTunes would be really nice but I think the idea has been flogged to death on the forums and soundly rejected by management, for what is certainly a good reason.

Security: Strong passwords, not using dictionary words, and long. Roboform. Change occasionally.

Identity theft: Quicken checks bank account and credit cards every day, so I'll see any unusual activity.

Use SSL whenever possible.

Quit worrying about it.

Edit 12/30/11 : Roboform changed its subscription system without notice once too often, so I'm using 1Password (Mac, iPad, iPhone). Where has it been all my life?

Edited by jmpsfs, 31 December 2011 - 12:54 AM.

[benjamin104]

How do you encrypt documents using some other encryption application before loading them into Evernote?

[BurgersNFries]

How do you encrypt documents using some other encryption application before loading them into Evernote?

Using whatever encryption program you prefer. There are many. IE Winrar or use a PDF viewer to password encrypt a PDF.

[jelake]

Regarding security, I don't put anything sensitive in the EN cloud without password encrypting it.

You mentioned this elsewhere and I felt stupid for not thinking of this sooner. All of a sudden I realized that I've been backing up to SugarSync (even before EN) and don't know what their encryption is (if any) to protect my data. Then the idea of knowingly sending all of my scanned docs to EN as well just raised my concern way too high. I've got medical docs, loan docs, financial statements, etc. Is it crazy to store all of that in the cloud without encryption? But the idea of using a 3rd party solution and also losing some search functionality brings me right back to where I'm at today. The whole reason I wanted to use EN for my scanned docs was for the search and tagging functionality (I suspect tagging would still work.)

2nd layer: SugarSync (documents and Evernote as they are changed)

Hummm.... I'm using SugarSync too (and loving it) for all personal files. I have NOT specifically included any EN folders and they don't appear to reside in "My Documents" in Win 7. Where is the local data stored?

Security: Strong passwords, not using dictionary words, and long. Roboform. Change occasionally.

I've been using Roboform for several years and absolutely love it. I've migrated all of my important credentials to completely random, complex passwords and don't have to remember a thing. Plus it syncs all that data between machines and stores the backup (Encrypted!!!!) in the cloud.

[BurgersNFries]

Is it crazy to store all of that in the cloud without encryption? But the idea of using a 3rd party solution and also losing some search functionality brings me right back to where I'm at today. The whole reason I wanted to use EN for my scanned docs was for the search and tagging functionality (I suspect tagging would still work.)

EN will not OCR/index any attachments like Word/Excel docs. It will also not OCR/index any encrypted data. (See this thread.) BUT...IMO, that's NBD b/c I rely primarily upon accurate titles/tags & keywords to find my docs. IDK if it's crazy or not to store sensitive info unencrypted My husband & I have Lifelock but I still prefer to be cautious b/c I'd rather not have to live through the hassle, even with Lifelock. OTOH, one of the EN employees (Heather?) stores all her info in EN w/o encrypting it.

I've been using Roboform for several years and absolutely love it. I've migrated all of my important credentials to completely random, complex passwords and don't have to remember a thing. Plus it syncs all that data between machines and stores the backup (Encrypted!!!!) in the cloud.

I've also been using Roboform for several years & also love it. Whenever I need a new password, I let it gen one - so nice!

[heffkit]

My current major concern as a relatively recent adopter of EN (in addition to the above re backup security) is reliability of local storage of mission-critical notes. This is based on a recent experience of having lost 2 hours' worth of key data in a meeting when my Android smartphone crashed & rebooted. On re-opening the note it only had the stuff I had saved before the meeting, not the 2 hours' worth I had taken during it! Don't worry, I did a within-file search of all the files from that day in the EN folder, just to be sure it wasn't there somewhere. It wasn't.

Why is there not the option to autosave a user-definable number of local backup copy versions every so often as you go along? Without this facility, I cannot commit to Evernote, which seems really great in other respects. I need my note-managing software to be bomb-proof for my mission-critical notes; as it stands, I'm afraid EN isn't. Unless I'm missing something somewhere...

[BurgersNFries]

My current major concern as a relatively recent adopter of EN (in addition to the above re backup security) is reliability of local storage of mission-critical notes. This is based on a recent experience of having lost 2 hours' worth of key data in a meeting when my Android smartphone crashed & rebooted. On re-opening the note it only had the stuff I had saved before the meeting, not the 2 hours' worth I had taken during it! Don't worry, I did a within-file search of all the files from that day in the EN folder, just to be sure it wasn't there somewhere. It wasn't.

Why is there not the option to autosave a user-definable number of local backup copy versions every so often as you go along? Without this facility, I cannot commit to Evernote, which seems really great in other respects. I need my note-managing software to be bomb-proof for my mission-critical notes; as it stands, I'm afraid EN isn't. Unless I'm missing something somewhere...

Dude. If you need something bomb-proof, good luck with that. Every system is fallible. Every system. Even paper & pen which can be lost, stolen, damaged (spill a coke on your notebook), etc. The key is to find the most reliable system (hopefully a couple) & use it (them) with care. Then, if you still encounter data loss, you just have to accept that as part of life. (shrug). Keep in mind the reliability of note taking may involve several factors. Anything computer oriented has a host of them. If the hardware malfunctions, that can cause data loss, even with the best/most reliable software. ***** happens.

Having said all that, if I were taking "mission-critical notes" & wanted them as "bomb-proof" as possible, I would:

1. Investigate & use a process for a while to run it through it's paces to make sure the hardware/software works as I think it should & to acclimate myself with the hardware/software.
2. Have at least two "systems" in play. IOW, not rely upon one app or device.

IME, with "mission-critical" stuff I want to be as "bomb-proof" as possible, I use a Livescribe pen along with a low tech Olympus voice recorder. But this is an entirely different thread. In a nutshell, with the LS pen, I get audio/handwriting & with the Olympus, I get more audio. IOW, I have three "inputs".

BTW, this is seriously OT for this thread...you should have created a different thread.

[neal105]

I'm new to EN and concerned about security of my data going up into the EN cloud. Do you think keeping a Notebook of sensitive notes/documents local is a better way to secure the data. I'm not exactly sure how local notebooks work. I've done some looking around the forum here and correct me on this. With the premium EN account I could have a local notebook on one main home computer that I could add sensitive notes and documents (insurance policy, wills, real estate mortgage info etc.) This notebook would only live local. Besides not being able to sync this notebook with the web and other devices is there any other disadvantage of working this way? Can I still search and tag this local notebook.

Thanks

[davidward]

You don't need to be a premium user to have local notebooks. Local notebooks can be searched and the notes in them can have tags. As you correctly point out, they will not be synced with EN or your other devices, so you must back them up yourself.

Many users keep sensitive data in local notebooks. Others encrypt these notes and then sync them. And some sync everything, unencyrpted. It comes down to your level of comfort (and how sensitive your data is).

I'm new to EN and concerned about security of my data going up into the EN cloud. Do you think keeping a Notebook of sensitive notes/documents local is a better way to secure the data. I'm not exactly sure how local notebooks work. I've done some looking around the forum here and correct me on this. With the premium EN account I could have a local notebook on one main home computer that I could add sensitive notes and documents (insurance policy, wills, real estate mortgage info etc.) This notebook would only live local. Besides not being able to sync this notebook with the web and other devices is there any other disadvantage of working this way? Can I still search and tag this local notebook.

Thanks

[saint78]

I posted something similar thread under Windows and I've been reading all the links people posted on threads here.

It would be beneficial if Evernote had a bit more security that it apparently has today. I wanted to store bank statements and medical records using Evernote, but I will put that off for a while.

I know it's impossible to have bombproof protection. I know even paper is never safe. If someone REALLY wants your stuff, they can break into your house and get it. But that requires someone to know who you are and know what to get. In the cloud, it's easy for some punk @ass teenager to go fishing for any type of information without knowing who I am or what he has gotten a hold of.

1. Evernote should encrypt any information stored locally, like cache.
2. Evernote should require a password everytime you start it. After some time unused, password should be required again.
3. Information should be encrypted on the server and this should be clearly stated. I haven't found anything official, other that SSL encryption of the data stream.
4. You should be able to put passwords on certain folders and encrypt these without using any external apps.
5. You should be able to turn off any security measures if you so wish to do so.

I need to investigate this a bit further....for the moment, I think Evernote is best for recipes and pictures of stuff I don't want to forget

S

[BurgersNFries]

In a nutshell, Evernote's focus is to ocr/index your notes so they are easily retrieved. That cannot be done if the notes are encrypted, since true encryption means EN would not have access to your encryption password. So it's highly unlikely more advanced encryption will be added any time soon, if ever.

As far as password protecting the app on your computer(s), as stated in the various threads, Evernote pretty much leaves that up to the user. Doubtful that will change other than maybe to have a PIN just to get into the app.

[saint78]

In a nutshell, Evernote's focus is to ocr/index your notes so they are easily retrieved. That cannot be done if the notes are encrypted, since true encryption means EN would not have access to your encryption password. So it's highly unlikely more advanced encryption will be added any time soon, if ever.

As far as password protecting the app on your computer(s), as stated in the various threads, Evernote pretty much leaves that up to the user. Doubtful that will change other than maybe to have a PIN just to get into the app.

I found this (here: http://michaelhyatt....n-evernote.html)

"Evernote can encrypt sensitive data within a note. If you have something within a note that you want to keep private—passwords, financial information, counseling notes, etc.—you can do so by highlighting the data, right-clicking, and selecting “Encrypt selected text.” You will then be prompted to enter a password. In order to view that information in the future, you (or anyone else) will have to enter the password to do so."

Problem is, most sensitive documents are PDF's, not plain text (at least mine). So you can't encrypt it with this method. I don't really care for indexing these types of documents, it's more for backup/easy retrieval than fast indexing. I know what my 2009 tax return says, I just need it up in the sky.

That's why a way to create a folder within Evernote, that is encrypted as standard and you need a password (not a pin) to open. It's that easy...

[BurgersNFries]

In a nutshell, Evernote's focus is to ocr/index your notes so they are easily retrieved. That cannot be done if the notes are encrypted, since true encryption means EN would not have access to your encryption password. So it's highly unlikely more advanced encryption will be added any time soon, if ever.

As far as password protecting the app on your computer(s), as stated in the various threads, Evernote pretty much leaves that up to the user. Doubtful that will change other than maybe to have a PIN just to get into the app.

I found this (here: http://michaelhyatt....n-evernote.html)

"Evernote can encrypt sensitive data within a note. If you have something within a note that you want to keep private—passwords, financial information, counseling notes, etc.—you can do so by highlighting the data, right-clicking, and selecting “Encrypt selected text.” You will then be prompted to enter a password. In order to view that information in the future, you (or anyone else) will have to enter the password to do so."

Problem is, most sensitive documents are PDF's, not plain text (at least mine). So you can't encrypt it with this method. I don't really care for indexing these types of documents, it's more for backup/easy retrieval than fast indexing. I know what my 2009 tax return says, I just need it up in the sky.

That's why a way to create a folder within Evernote, that is encrypted as standard and you need a password (not a pin) to open. It's that easy...

I'm not sure what point you're trying to make here. Nothing new here. Yes, as has been noted before, Evernote provides TEXT encryption. However, that is not indexed. And yes, you can password encrypt PDFs with most PDF viewers. (As I posted earlier in this thread.) I do it quite often before putting the PDF into Evernote. Again, the encrypted PDF will not be ocr'd/indexed. My point is that EN will most likely never (or at least any time soon) add any more encryption than it has (with the text encryption) because it does not coincide with it's focus of ocr'ing/indexing your notes to make them easily retrieved and since files can be encrypted using the third party app of your choice. It's that easy...

[neal105]

Asking a question here: Sounds like if you don't care about OCR/Index of the file and you can lock the PDF with a password or encrypt the file then loading the file on the EN cloud should be fine. If you have good title descriptions or tags then you should be able to find the file easily. Seems like most of the files you don't need access to very often. How many times do you need to pull up your closing docs from a refinance on your iphone? My feeling is that I will keep these files on a local notebook and just back them up to several drives as part of my back up routine. Right now I have paper tax returns in files in my house. I plan on converting them to EN local notebook. But the fact is if I need to look something up from them I'd need to look up the paper files at home now anyway. I like the idea of paperless but do I need all those files up in the cloud to access at any moment? Not really.

[BurgersNFries]

Asking a question here: Sounds like if you don't care about OCR/Index of the file and you can lock the PDF with a password or encrypt the file then loading the file on the EN cloud should be fine. If you have good title descriptions or tags then you should be able to find the file easily. Seems like most of the files you don't need access to very often. How many times do you need to pull up your closing docs from a refinance on your iphone? My feeling is that I will keep these files on a local notebook and just back them up to several drives as part of my back up routine. Right now I have paper tax returns in files in my house. I plan on converting them to EN local notebook. But the fact is if I need to look something up from them I'd need to look up the paper files at home now anyway. I like the idea of paperless but do I need all those files up in the cloud to access at any moment? Not really.

I agree with everything you said. Really, any time you may need to fork over sensitive data (tax returns, bank statements), any reliable company understands & you don't have to do it in 10 seconds or less. I still don't put bank/investment/credit card statements in the Evernote cloud. But I do have some tax returns & a few other docs with sensitive info in sync'd notebooks. Those I do encrypt. I think the only reason I put them in Evernote to begin with is just because I can and b/c there are some docs/info I'd like to have "at the ready" if I were out of town or I was having computer problems.

[saint78]

Interessting... http://antivirus.abo...evernotetip.htm

Bottom line: storing unencrypted data on an Internet-facing server is not a great idea. With that in mind, following are seven of the worst Evernote (or any cloud-based storage) tips:

• I'm a teacher. I use @evernote to create individual portfolio files for each student, documenting everything.
  Why it's bad: Compromise of the teacher's Evernote credentials potentially exposes sensitive details on students, who also likely happen to be minors. This tip is not only a security risk to those students, it potentially has legal ramifications for the teacher (and the school at which they teach).
• Store credit card statements.
  Why it's bad: Credit card statements often include the account number. Exposure could lead to increased risk of credit card fraud.
• Store login names and passwords for websites (tag with Login to see them all together)
  Why it's bad: Attackers who gain entry to your Evernote account now potentially have access to all your online accounts.
• Build family medical portfolios including medical history, allergies, pictures of medications, receipts.
  Why it's bad: In the past, cybercriminals who have stolen medical information have sometimes blackmailed the victims. Unless this is information you would feel comfortable sharing with friends, neighbors or even strangers, it is best not stored in-the-cloud.
• Keep family social security numbers (and other info) in an encrypted note for easy, secure access.
  Why it's bad: Exposure leaves your entire family at risk of identity theft. This type of sensitive information is best kept in a locked file cabinet, not in-the-cloud.
• Keep router/firewall settings (addresses, passwords, open/closed ports, etc.) handy and nearby.
  Why it's bad: Attackers who gain access can use this information to reconfigure DNS settings on your router or enable their own access to your network.
• Take a photo of your passport and send it to Evernote. If it's lost or stolen, you can still show the embassy your info.
  Why it's bad: A photo of your passport makes it that much easier for counterfeiting. A safer bet would be storing only the passport number (in encrypted form).

I've done 5 of those and I AM concerned, because none of my questions/worries really have been answered satisfactory. All those things above, that's what Evernote would be insanely great...

[BurgersNFries]

Interessting... http://antivirus.abo...evernotetip.htm

Bottom line: storing unencrypted data on an Internet-facing server is not a great idea. With that in mind, following are seven of the worst Evernote (or any cloud-based storage) tips:
(snip)
I've done 5 of those and I AM concerned, because none of my questions/worries really have been answered satisfactory. All those things above, that's what Evernote would be insanely great...

Nothing new here. Security has been discussed ad nauseum on the board. Please search the board for the "wide open databases" thread, if you want more information.

Bottom line:
- EN allows text encryption. Doubtful they will add anything more, any time soon, since their focus is to collect & easily retrieve info. Indexing cannot be done on encrypted info.
- Anything else you want in the EN cloud can be encrypted via the third party app of your choice.
- EN is not a password manager. However you can add your logins & passwords in text format & encrypt them using EN's built in text encryption, if you wish.
- you can store sensitive data locally only (non-cloud), via either a Mac or Windows desktop, if you choose to.